Security audit

Agensi MCP — AI Agent Skill Marketplace

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed connector to Agensi's remote skill marketplace, with the main caveat that searches go to Agensi's service.

Install this only if you are comfortable connecting your agent to Agensi's MCP service. Avoid sending sensitive prompts, private repository details, or confidential search terms through the marketplace tools, and review any returned skill listings or install instructions before acting on them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: This markdown file instructs users to connect their agent to `https://mcp.agensi.io/mcp` and then use remote tools, but it does not disclose any privacy or data-sharing implications of sending prompts or search terms to a third-party service. For a skill that affects network/privacy behavior, the description should explicitly warn users that their requests are transmitted externally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.